Apache Killer Killed: Zero Day Exploit, Zero Day Fix

Early this morning word spread that there was a zero day exploit dubbed the "Apache Killer." The exploit uses malformed Apache byte-range headers to crash the web server. The exploit is effective against the latest versions of Apache as well as versions back to v1.3. Apache announced that they would release a patch within 96 hours. In the meantime, there are some suggested ways that people running Apache can deal with the attack.

At CloudFlare, we were asked almost immediately by several users whether CloudFlare protected against this exploit. The answer this morning was no. We faithfully pass through byte-range headers to the origin server and therefore would pass through the attack. The promise of CloudFlare, however, is that as these sorts of incidents come to light we can apply patches to our network to protect our users. So that's what we did.

As of now, about half of our network has implemented protection that will stop the Apache Killer exploit. We do this by limiting malformed or large numbers of byte-range headers from being relayed to the origin. We are running the fix in our busiest data centers and, assuming this initial rollout goes smoothly, we will roll it out to the whole network by the end of the day tomorrow. In other words, for a zero day exploit, we created a zero day fix.
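As an added illustration of the check described above (example code, not CloudFlare's own, which the post does not show), a proxy could parse each byte-range header and refuse to relay it when it is malformed or carries too many ranges; the five-range threshold and the sample headers are assumptions constructed for this example.

```python
import re

# Assumption (not stated in the post): relay a Range header only when it
# names at most this many byte ranges.
MAX_RANGES = 5

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(range_header):
    """Parse a 'bytes=' Range header into (start, end) tuples.

    start or end is None for the open-ended forms "500-" and "-500".
    Returns None when the header is not a well-formed byte-range set.
    """
    value = range_header.strip()
    if not value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m:
            return None
        start, end = m.group(1), m.group(2)
        if start == "" and end == "":
            return None  # a bare "-" names no bytes
        start = int(start) if start else None
        end = int(end) if end else None
        if start is not None and end is not None and end < start:
            return None  # inverted range such as "10-5"
        ranges.append((start, end))
    return ranges or None


def should_relay_range(range_header, max_ranges=MAX_RANGES):
    """Decide whether a Range header may be passed through to the origin.

    Returns (relay, reason). Malformed or oversized range sets are held
    back so the origin never has to build a response for each range.
    """
    ranges = parse_byte_ranges(range_header)
    if ranges is None:
        return False, "malformed byte-range set"
    if len(ranges) > max_ranges:
        return False, "too many ranges (%d > %d)" % (len(ranges), max_ranges)
    return True, "ok"


# Constructed sample headers: a normal resumed download, and a header
# stuffed with hundreds of ranges of the kind the proxy should drop.
NORMAL = "bytes=1000-1999"
FLOOD = "bytes=" + ",".join("%d-" % i for i in range(200))
```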

There is nothing you have to change in your settings; the protection is automatic. If you are running Apache, we recommend you upgrade to the newest version as soon as the Apache team releases a fix. In the meantime, we're happy to be able to provide protection against this attack to CloudFlare users. If you're not already a CloudFlare user, you can sign up for free and get the protection immediately.

Update (25 Aug 2011 @ 18:00 GMT): the tests across our network went well and the fix has now been pushed live to the entire CloudFlare network. All CloudFlare-powered sites are now protected. Even with CloudFlare's fix in place, we still recommend you upgrade Apache to the latest version when the patch is released. Follow the Apache advisory for more details.